Author: Miranda DesPain
The state of the crime insurance market continues to harden due to social engineering fraud and vendor fraud losses across the industry, marked by moderate premium and retention increases. We have noted an increase in submitted claims, primarily social engineering fraud, throughout 2020.
Social engineering fraud claims on the rise, becoming more nuanced
The industry has underwritten to social engineering fraud exposure for roughly five years and, generally speaking, insurance underwriters are not seeing improvement in, or adherence to, appropriate controls at organizations. Certain markets, in particular those based in London, were previously willing to offer full limits to cover social engineering fraud under crime policies. By the second half of 2020, we observed that commercial and financial institution crime marketplaces were no longer offering sublimits greater than $1 million, except in rare instances. The average social engineering sublimit is $250,000 to $500,000, with additional underwriting and authority required to consider up to $1 million. Insurers are increasingly reluctant to provide large social engineering sublimits to new buyers.
Reviewing the terms of your program is always critical, including whether or not you have a social engineering exclusion or explicit coverage (and, if the latter, whether callback verification requirements exist). In some instances, callback requirements have been replaced by authorization attempt language, meaning that insurers' strategy is to offer coverage for situations where an insured's procedure fails, but not for situations where the insured fails to perform the procedure altogether.
The 2020 Association of Financial Professionals (AFP) Payments Fraud and Control Survey Report indicated that 81% of companies were targets of payments fraud last year, the second-highest percentage since 2009. Business email compromise (BEC) was the leading source of fraud for 75% of organizations, with 54% experiencing a financial loss due to BEC. [1]
Social engineering fraud crimes have increased in sophistication, involving independent contractors and business partners, for example. Reverse social engineering fraud, also known as invoice manipulation fraud or vendor client fraud, is another method of loss caused by a third party's unauthorized access to and manipulation of your invoices sent to clients or vendors. This type of loss can be covered under a cyber insurance policy due to its overlapping elements with a data breach of your system.
Alignment of crime, cyber insurance for claims
The alignment of crime and cyber insurance for certain types of losses is imperative, as cyber insurance policies can offer sublimits associated with both social engineering fraud and reverse social engineering fraud. For traditional social engineering fraud losses, our typical strategy is to first look to the crime policy as a means for insurance coverage. In the event that both policies offer a sublimit, we need to closely evaluate applicability of retentions and other insurance clauses to ensure that the loss is subject to only one retention, and determine whether sublimits apply proportionately.
Ransomware exclusions are becoming prevalent on crime policies, with the intention for this type of exposure to be addressed exclusively under a cyber insurance policy.
The alignment of crime and cyber insurance for financial institutions is more complicated. While the financial institutions bond market is fairly stable, insurers continue to evaluate exposure to cyber-related losses under crime policies. Financial institutions social engineering fraud remains a key issue, as well as electronic or computer crime losses. Certain financial institution bond forms offer virus or hacker extensions and/or data reconstruction costs associated with loss of funds. While the trigger for a bond claim remains a monetary loss, there is a potential for overlap with a cyber insurance policy in instances where destruction of data occurs.
Expectations for the impact of COVID-19 pandemic on crime insurance
With the widespread use of remote work arrangements and increase in electronic processes across the board for organizations, we anticipate there to be an impact on crime losses in the short and long term.
In the short term, we see ongoing frequency of social engineering fraud claims, which may or may not be pandemic-related. We have also experienced claims related to crimes committed due to an increase in arson, theft and vandalism in some cities.
In the long term (18–24 months and beyond), we are bracing for the aftereffects of lax controls due to remote working. We expect to see an uptick in embezzlement schemes that have commenced during the pandemic in 2020. Many companies have pared down staff and are experiencing a variety of issues associated with return-to-work plans. [2] Remote work may become a more permanent norm, and this may lead to companies changing procedures during the pandemic that may not be reevaluated properly in the future. For example, a company may not immediately evaluate the checks and balances of having one accountant working solely from home. There may be a false sense of security in such an arrangement, while employees may have access and motivation to steal from an organization due to their own financial distress in a down economy.
In a PwC article released in 2020 describing results from a CFO survey, "How to Prevent the Global Pandemic From Becoming a Fraud Pandemic", forensics experts warned that companies need to shore up their detection and monitoring when fraud becomes part of the crisis. They specifically identify customer fraud and cybercrime as the top two types of fraud, with only 69% of U.S. organizations utilizing corporate controls to detect fraud. About 35% don't regularly test or audit their controls, and 10% have no normal fraud program in place at all. Internal fraud via the creation of fictitious vendor accounts is at a heightened risk, in addition to BEC and phishing attacks from external sources. [3]
We believe pandemic-related underwriting questions will persist throughout 2021. Specifically, companies will need to provide additional detail on any staff reductions in treasury, internal audit or finance departments, and any changes with regard to financial controls or security of physical inventory. Further, companies may need to confirm that a competitive bidding process is utilized in procurement of third-party vendors or suppliers, as vendor fraud continues to be the largest source of crime claims overall.
Embezzlement remains top loss driver
Similar to previous years, employee dishonesty claims continue to be the top loss driver for crime insurers. Companies with international locations tend to be at higher risk for all types of crime losses. Anecdotally, about 90% of claims involve embezzlement and, of those, 80% are vendor fraud. Vendor fraud tends to be perpetrated most often through non-core expense channels (e.g., information technology, marketing, sales), which operate with a high degree of autonomy and rarely require purchase orders. This is particularly concerning amidst a pandemic where, for example, vast investments are being made by companies to broaden and secure networks for remote work environments.
Predictions for 2021 for crime insurance
Please note, a client's risk profile is the primary variable dictating renewal outcomes. Loss experience, industry, location and individual account nuances will also have a significant impact on these renewals.
Overall, for 2021, we anticipate the following for crime insurance:
- 5%–15% increases
- Upward pressure on retentions
- Continued focus on social engineering fraud-related controls and processes
- Underwriting scrutiny on pandemic-related concerns
Now more than ever, it's critically important to start renewals as soon as possible, and work with your Gallagher team to deliver a comprehensive and professional submission to underwriters.